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Abstract 

It is well known that unconditionally secure bit commitment is impossible even in the 
quantum world. In this paper a weak variant of quantum bit commitment, introduced 
independently by Aharonov et al. and Hardy and Kent jH] is investigated. In this 
variant, the parties require some nonzero probability of detecting a cheating, i.e. if Bob, 
who commits a bit b to Alice, changes his mind during the revealing phase then Alice 
detects the cheating with a positive probability (we call this property binding); and if Alice 
gains information about the committed bit before the revealing phase then Bob discovers 
this with positive probability (sealing). In our paper we give quantum bit commitment 
scheme that is simultaneously binding and sealing and we show that if a cheating gives 
£ advantage to a malicious Alice then Bob can detect the cheating with a probability 
£!(e 2 ). If Bob cheats then Alice's probability of detecting the cheating is greater than 
some fixed constant A > 0. This improves the probabilities of cheating detections shown 
by Hardy and Kent and the scheme by Aharonov et al. who presented a protocol that is 
either binding or sealing, but not simultaneously both. 

To construct a cheat sensitive quantum bit commitment scheme we use a protocol for a 
weak quantum one-out-of-two oblivious transfer ((^)-OT). In this version, similarly as in 
the standard definition, Alice has initially secret bits ao, a\ and Bob has a secret selection 
bit i and if both parties are honest they solve the (^)-OT problem fulfilling the standard 
security requirements. However, if Alice is dishonest and she gains some information 
about the secret selection bit then the probability that Bob computes the correct value is 
proportionally small. Moreover, if Bob is dishonest and he learns something about both 
bits, then he is not able to gain full information about one of them. 



1 Introduction 

In bit commitment protocol Bob commits a bit b to Alice in such a way that Alice learns 
nothing (in an information theoretic sense) about b during this phase and later on, in the 
revealing time, Bob cannot change his mind. It is well known that unconditionally secure 
bit commitment is impossible even when the parties use quantum communication protocols 
(|1()| Thus, much effort has been focused on schemes using some weakened security 

assumptions. 

In a weak variant of quantum bit commitment, introduced independently by Aharonov et al. [2] 
and Hardy and Kent jH], the protocol should guarantee that if one party cheats then the other 
has good probability of detecting the mistrustful party. Speaking more precisely, we require 
that if Bob changes his mind during the revealing phase then Alice detects the cheating with 
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a positive probability (we call this property binding) and if Alice learns information about the 
committed bit before the revealing time then Bob discovers the leakage of information with 
positive probability (sealing property). 

In [H] Hardy and Kent give protocol that is simultaneously sealing and binding and prove 
that if Alice (Bob) uses a strategy giving e > advantage then Bob (Alice, resp.) can detect 
the cheating with a probability strictly greater then 0. The authors do not analyze, however, 
the quantitative dependence of the probability on e. In j2] Aharonov et al. present a similar 
protocol to that proposed in jH] such that after depositing phase either Alice or Bob challenges 
the other party and (1) when Alice asks Bob to reveal b and Bob influences the value with 
advantage e then she detects the cheating with probability ^(e 2 ) and (2) when Bob challenges 
Alice to return the depositing qubit and Alice predicts b with advantage e then Bob detects 
the cheating with probability ^(e 2 ). Thus the protocol is either binding or sealing, but not 
simultaneously both (the authors therefore call the protocol a quantum bit escrow). Aharonov 
et al. left open whether simultaneous binding and sealing can be achieved. 
In our paper we give the first, up to our knowledge, QBC scheme that is simultaneously 
binding and sealing such that if Alice's cheating gives e advantage then Bob can detect the 
cheating with a probability which is Q{s 2 )- If Bob cheats (anyhow) then Alice's probability 
of detecting the cheating is greater than some fixed constant A > 0, i.e. when Bob decides 
to set the value b to or to 1 and in the revealing time wants to change his mind then for 
any strategy Bob uses the probability that Alice detects this attack is greater than A. To 
construct such scheme we use a protocol for a weak variant of quantum oblivious transfer. 

1.1 Our Contribution 

In the one-out-of-two oblivious transfer problem (( 2 )-OT, for short) Alice has initially two 
secret bits ao, ai and Bob has a secret selection bit i. The aim of a ( 2 )-OT protocol is disclosing 
the selected bit ai to Bob, in such a way that Bob gains no further information about the 
other bit and Alice learns nothing at all. The problem has been proposed by Even et al. as 
a generalization of Rabin's notion for oblivious transfer ^2j. Oblivious transfer is a primitive 
of central importance particularly in secure two-party and multi-party computations. It is 
well known (0111) that ( 2 )-OT can be used as a basic component to construct protocols 
solving more sophisticated tasks of secure computations such as two-party oblivious circuit 
evaluation. Several secure OT protocols has been proposed in the literature (HI El IE] however, 
even in quantum world, there exists no unconditionally secure protocol for ( 2 )-OT see e.g. 

EH)- 

In this paper we define a weak variant of one-out-of-two oblivious transfer. Similarly as in the 
standard definition, in a weak ( 2 )-OT protocol Alice has initially secret bits ao, a\ and Bob has 
a secret selection bit i and if both parties are honest 1 they solve the ( 2 )-OT problem fulfilling 
the standard requirements. However if Alice is dishonest and she gains some information 
about the secret selection bit then the probability that Bob computes the correct value is 
proportionally decreased. Moreover, if Bob is dishonest he can learn about both bits, but if 
he does so then he is not able to gain full information about one of them. 
In the paper we present a weak ( 2 )-OT protocol which, speaking informally (precise definitions 
will be given in Section EJ, fulfills the following properties. 

• If both Alice having initially bits ao, a\ and Bob having bit i are honest then Bob learns 
the selected bit a«, but he gains no further information about the other bit and Alice 
learns nothing. 

1 We say that a party is honest if it never deviate from the given protocol. 
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• If Bob is honest and has a bit i and Alice learns i with advantage e then for all 
ao, a\ G {0, 1} the probability that Bob computes the correct value dj, when the protocol 
completes, is at most 1 — Sl(e 2 ). 

• If Alice is honest and has bits ao,a\ then for every i E {0, 1} it is true that if Bob can 
predict the value a\-% with advantage e then the probability that Bob learns correctly 
di is at most 1 — ^(e 2 ). 

The protocol can be used e.g. by the mistrustful parties for which computing the correct result 
of ©-OT is much more preferential than gaining addition information. In this paper we show 
an application of the protocol for parties who require some nonzero probability of detecting a 
cheating. Let us consider the following bit commitment protocol, where v := OT((ao, a{), i) 
means, for short, that Alice having initially oo, a\ and Bob knowing i perform the weak ( 2 )-OT 
protocol and when the protocol completes Bob knows the result v. 

Protocol 1 (Cheat sensitive QBC) B commits bit b; 

• Depositing phase 

1. A chooses randomly bits 0,0,0,1,0,2,0,3; B chooses randomly bits b' and c; 

2. A and B compute 

vq := OT((a , d), b'); v\ := OT((a 2 , a 3 ), b) if c = or 
v := OT((a ,ai),b); v\ := OT({a 2 , a 3 ), b') ifc=l. 

3. B reveals c. 

• Revealing phase B reveals b; 

o Sealing test: A sends to B a2 C ,02c+i; B rejects when v c ^ OT((a2 C , a2c+l), b'). 
o Binding test: B sends to A v\- c ; A rejects when V\- c 7^ OT((a 2 _2 C )) a 3-2c)j 

One of the main results of this paper says that using our weak (^)-OT protocol, the bit 
commitment protocol above has the following properties: (1) If both Alice and Bob are 
honest, then before revealing time Alice gains no information about b and at the revealing 
phase both Bob and Alice accept; (2) if Alice learns b with advantage e then Bob detects 
cheating with probability ^(e 2 ), and (3) if Bob tries to change b during the revealing phase 
then for any strategy he uses the probability that Alice detects the cheating is greater than 
some positive constant. 

The paper is organized as follows. In Section |2 some basic quantum preliminaries are given. 
In Section [HI we define formally properties of a weak ( 2 )-OT protocol and prove that the given 
scheme fulfills the properties. Section Q] gives formal definition of binding and sealing and 
proves that Protocol ^ is simultaneously binding and sealing. 

2 Preliminaries 

The model of two-party computation we use in this paper is essentially the same as defined 

in [2]. We assume that the reader is already familiar with basics of quantum cryptography 

(see (2] for an exemplary summary of results that will be used in the following). 

Let |0),|1) be an encoding of classical bits in our computational (perpendicular) basis. Let 

|0 X ) = ^|(|0) — |1))> 1 1 x } = ^TjdO) + be an encoding of classical bits in diagonal basis. 

By R a , a G {0, \, 1}, we denote the unitary operation of rotation by an angle of a-ir/2. More 

formally: 

/ cos(a • 5) sin(a • |) \ 

a ' \ — sin(a • 5) cos(a • |) J 
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We should note that this operation allows us to exchange between the bit encoding in per- 
pendicular and in diagonal basis. Moreover, by applying R\ we can flip the value of the bit 
encoded in any of those two bases. 

For a mixed quantum state p and a measurement O on p, let p° denote the classical dis- 
tribution on the possible results obtained by measuring p according to O, i.e. p° is some 
distribution p±, . . . ,p t where pi denotes the probability that we get result i. We use Li-norm 
to measure distance between two probability distributions p = (pi, ■ ■ ■ ,Pt) and q = (qi, . . . ,q t ) 
over {1,2,. . . ,t}: \p - q\i = \ Y? i= i \Pi ~ <li\- 

Let \\A\\t = ti(VA^~A) 7 where tr(yl) denotes trace of matrix A. A fundamental theorem gives 
us a bound on Li-norm for the probability distributions on the measurement results: 

Theorem 1 (see [lj) Let po, p\ be two density matrices on the same Hilbert space TL. Then 
for any generalized measurement O \p® — p®\\ < |||/9o — Pl\\t- This bound is tight and the 
orthogonal measurement O that projects a state on the eigenvectors of po — p\ achieves it. 

A well-known result states that if \4>i), |</>2) are pure states, then || |$>i)(</>i| — |02}(</>2| ||t = 
2V1-|<<N02>| 2 . 

Lemma 1 Suppose Bob has a bit b s.t. Pr[6 = 0] = 1/2 and let Alice generate a state with 
two quantum registers. Assume she sends the second register to Bob, then Bob depending 
on b makes some transformation on his part and sends the result back to Alice. Denote 
by po density matrix of the resulting state for b = and by pi density matrix of the state 
for 6 = 1. Then for any measurement O Alice makes and a value v Alice learns we have 

pv bERm} [ V = b] < 

The proof of this lemma follows by some straight forward calculations and will be skipped 
in this extended abstract. We will use some obvious variations of this lemma to bound the 
advantage of Alice resp. Bob in what will follow. 



3 Weak Oblivious Transfer 

In this section we give the formal definition of the weak (^)-OT protocol and then present 
protocol for this problem. 

Definition 1 We say that a two-party quantum protocol between Alice and Bob is a (6, e)-weak 
i^A-OT protocol if the following requirements hold. 

• If both Alice depositing initially bits ao,ai and Bob having bit i are honest then Bob 
learns the selected bit ai but in such a way that he gains no further information about 
the other bit and Alice learns nothing. 

• Whenever Bob is honest and has a selection bit i, with Pr[i = 0] = 1/2, then for every 
strategy used by Alice, every value i' Alice learns about i and for any value a' Bob learns 
at the end of the computation it holds that for all ao, a± € {0, 1} 

*/ Pr iG fl {o,i} [*' = i}> 1/2 + 5 then Pr iefl{0i i} [a' = Oj] < 1 - e. 

• Whenever Alice is honest and deposits bits ao,a\, with Pr[oj = 0] = 1/2, then for every 
strategy used by Bob, all values a' ,a± Bob learns about ao,a\, resp. it holds that for all 
i e {0, 1} «f Pr a0iai6i j {0 ,i}[ai_i = ai-i] > 1/2 + 5 then Pr a0iaieij{0 ,i} [a- = a*] < 1 - e. 
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Protocol 2 (©-OT function) Input A : a ,oi G {0,1}, 5 : i G {0,1}; Output B : a*. 

1. A chooses randomly a G# {0, |} and /jGr {0, 1} and sends to -B: 

i?a|ai © h) <g> i? Q |ao © h) 

2. B receives \<&\) © , chooses randomly [3 G_r {0,1} and sends Rp\$>i) back to A. 

3. A receives |3>), computes R' 1 ^), measures the state in computational basis obtaining the 
result n and sends m = n (£> h to B. 

4- B receives m and computes dj = m © (3. 

Here, as usually, © denotes xor. Note that this protocol computes (^)-OT correctly if both 
parties are honest. We will now focus on the question whether Protocol El still retains security 
if we use it against malicious parties. The following theorem follows from Lemma and 01 
which will be proven in the remaining part of this section: 

Theorem 2 Protocolfflis (0($e), e)-weak (I) -OT protocol. 
3.1 Malicious Alice 

Lemma 2 Let Alice and Bob perform Protocol^ and assume Bob is honest and deposits a 
bit i, with Pr[i = 0] = 1/2. Then for every strategy used by Alice, every value i' Alice learns 
about i and for any value a' Bob learns at the end of the computation it holds that for all 
0-0,0-1 G {0, 1} if Pr iei?{0>1 } [a' = Oi] > 1 - £ then Pr ieij{0;1 } [i' = i] < 1/2 + lGy/e. 

Proof: Any cheating strategy A of Alice can be described as preparing some state |$) = 
^2 X £{oi} 2 \ v xi x )i sending the two rightmost qubits to Bob and perform some measurement 
{Hq, Hi, H2, H3} on this what she gets back after Bob's round, where Hq,H\,H2, H3 are four 
pairwise orthogonal subspaces being a division of whole Hilbert space that comes into play, 
such that, for I, k = 0, 1, if our measurement indicates the outcome corresponding to H2k+i. 
then it reflects Alice's belief that i = I and that the message m = k should be sent to Bob. 
Assume now, that ao © a\ = 0. We should note that in this case m © ao = (3. So Alice, 
in order to ensure the correct result of the protocol, has to indicate the value of (3. Let 
\S) = 1^00)00) + |t>n, 11), \A) = |uqi,01) + \vio, 10). That is, \S) is a part of the state that is 
symmetric with respect to qubits being sent to Bob and \A) is the rest being anti-symmetric. 
Let p 0) 6 be a density matrix of Alice's system after Bob's round, corresponding to i = a and 
(3 = b. After some calculations we get: 

Po,o = Ex=( :ci , :C2 )e{0,lp \vxXi){v x xx\ 

+Ko0)(«iol| + |«iol)(«oo0| + |«iil)(«oi0| + I vol 0) (fnl I 

Po,i = £x=(zi,a2)e{o,i} 2 K^K^Tl 

-|«ool)(«io0| - |«io0)(«ool| - Ki0)(uoil| - \v il){v n 0\ 

Pl,0 = Ex=(x 1 ,x 2 )6{0,l}2 \VxX 2 )(v x X 2 \ 

+|uooO)(«oil| + boil) (woo 1 + |«nl)(uioO| + |«ioO)(«iil| 

Pl,l = Ex=(xi,xa)e{0,l}»l t, * 5 2)( u * S 2l 

-\v o0 l}{v 01 0\ - \v i0)(v 00 l\ - |«ii0)(ui l| - \v w l)(v n 0\ ■ 
where x~i means nipping bit Xt, i.e. ~x~i = 1 — Xt- 

We look first onto possibilities of Alice's dishonest behaviour. In order to cheat, Alice has to 
distinguish between density matrices = \pifi + \pi,i, where 7; corresponds to i = I. By 
examination of the difference of those matrices we get after some calculations that: 

70 - 7i = ^s0)(Va1| + i|VAl)(Vs0| - \\V s l)(V A U\ - ~|Fa0)(F s 1| 
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where \Vs) = \vqo) + \vu) and \Va) = \v\o) — \vq\). We can easily adapt LemmaHto show 
that the advantage 5 of Alice is at most Xw=o ai wnere 

a L = 1^(70-71)^)1 < T,Mo,i}h\ tr ( H i(\Vs(j ~ i))(V A j\ + \V A j)(VsU ~ 1)1)^)1 

< E i6{0 ,i}(Koj|^i)|- 1(^(1 -j)|o})|) 

< E je{0 ,i}im^i)l 

and |Oj) is an orthogonal, normalized projection of \Vaj) onto subspace Hi. The second 
inequality is true because we have tr(Hi\ Vaj) (ip\H^) = (Oj\VAj){ip\O l j) for every state \tfi). 

Let jl be the index for which |<OjjVkj'z>| > |<Oi_ A | Va(1 - Ji)> |. Clearly, a { < 2\(O l n \V A ji)\. 
Moreover, we assume that ao + °"i > °2 + o"3- If this is not the case we could satisfy this 
condition by altering the strategy A of Alice (by appropriate rotation of her basis) in such a 
way that the definitions of H^ and -f/fc+2 would swap leaving everything else unchanged. 
We look now on the probability of obtaining the correct result by Alice. The probability po 
of Alice getting outcome /3 = in case of = 1 is at least 

Pd>i(oS,Kx|oS,) + i(^,|pi,il^> = 

±|(O> 00 l) - <0°>oiO>| 2 + ±|<0°>ool> - <0>ioO)| 2 
+i|<O°>n0) - <0>oil)| 2 + i|<0>ii0> - <O> 10 l)| 2 . 

So, by inequality \a — b\ 2 + \a — c\ 2 > — c| 2 we get that 

po > |l(o° KiO)-(oo o KoO)| 2 + iKo? | Uo ii)-(o^Koi)| 2 

= ||(OP |^0)| 2 + i|(O? |^l)| 2 > ±al 

Similar calculation of the probability p\ of getting outcome = 1 in case of /3 = yields that 
the probability of computing wrong result is at least 

p r[/3 ' ^/3} = Pv[f3 © m ^ a,] > ±(a 2 + a\) > ^(£ <?i? ■ 

1=0 

Hence, the lemma holds for the case ao © a\ = 0. 

Since in case of oo © a\ = 1 the reasoning is completely analogous - we exchange only the 
roles of \Vs) and \Va) and Alice has to know the value of f3 © i in order to give the correct 
answer to Bob, the proof is concluded. 1 
To see that quadratical bound imposed by the above lemma can be met, consider |$>) = 
VI — e|000) + a/^I HO) - Intuitively, we label the symmetric and anti-symmetric part of |<&) 
with and 1. Let H2 = |01)(01|, i/3 = 0. One can easily calculate that 

p ,o = (1 -e)|00><00| + Ve(l-e)(|00)(ll| + |11)(00|) + e|ll)(ll| 

pi,o = (l-£)|00)(00|+£|10)(10| 

and therefore 1 1 /0o,o — y°i,o||i > v ^(1 ~ £ ) ~ 2s. So, by Theoren ^ there exists a measurement 
{Hq,Hi} allowing us to distinguish between those two density matrices with y/e(l — e) — 2e 

accuracy and moreover H2, H3-LH0, Hi since tr(i^2/Oo,o^2) = ^{^PifiH^) = 0- Now, let 
M = {Hq, Hi, H2, H3} be Alice's measurement. To cheat, we use the following strategy A 
corresponding to her input ao = a% = 0. Alice sends |<3?) to Bob, after receiving the qubit 
back she applies the measurement M. If the outcome is H2 then she answers ao © f3 = 1 to 
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Bob and sets i' = with probability |, in the other case she sends ao © /? = to Bob and 
according to the outcome being or 1 she sets i' = (V = 1). 

To see that this strategy gives correct result with probability greater than 1 — e we should 
note that probability of outcome H2 in case of j3 = is and in case of (3 = 1 is 1 — e. 
Therefore, since /? = with probability 5, our advantage in determining the input of Bob is 
greater than \\[& — §£. 

3.2 Malicious Bob 

Now, we analyze Bob's possibility of cheating. 

Lemma 3 Let Alice and Bob perform Protocol^ Assume Alice is honest and deposits bits 
ao, ai, with Pr[aj = 0] = 1/2. Then for every strategy used by Bob and all values a' , a[ which 
Bob learns about ao,a\, it holds that: for all i G {0, 1} 

ifP*ao, ai e R {o,i}[4 = a { ] > 1 - e 2 then Pr ao , aiGil {o,i} = a i-i] < V 2 + 16>/2e. 

Proof: Consider some malicious strategy B of Bob. Wlog we may assume that the probability 
of a' = ao is greater than the probability of a[ = a\. Our aim is to show that 

if p roo,oi6K{o,i}K ^ °o] < e2 then Pr a0)ai6K { ,i}K = a x ] < 1/2 + 16\/2e. 

Strategy B can be think of as a two step process. First a unitary transformation U is acting on 
\&ao,ai,h) = \ v ) © Ra\ai © h) © i? Q |ao © where v is an ancillary state 2 . Next the last qubit 
of f7(|$oo,ai,?i}) is sen t to Alice 3 , she performs step 3 on these qubit and sends the classical bit 
m back to Bob. Upon receiving m, Bob executes the second part of his attack: he performs 
some arbitrary measurement {Hq, H%, H2, #3}, where Hq (H\) corresponds to Bob's belief 
that ao = 0, ai = (resp. 00 = 0, a\ = 1) and H2 (#3) corresponds to ao = 1 and a\ = 
(resp. ao = 1 and a\ = 1). In other words, outcome corresponding to H 2 i+k implies a' Q = I 
and a'i = k. 

The unitary transformation U can be described by a set of vectors {V^} such that U(\v) © 
K>i)) = l^o J ) ® |0) + ® O r alternatively in diagonal basis, by a set of vectors {Wjf} 
such that U(\v) © |/ x ,Jx)) = \Wq J ) © |0 X ) + |W^ J ') © |l x ). 

We present now, an intuitive, brief summary of the proof. Informally, we can think of U as 
about some kind of disturbance of the qubit R a \ao © h) being sent back to Alice. First, we 
will show that in order to cheat Bob's U has to accumulate after Step 2, till the end of the 
protocol, some information about the value of ao © a hidden in this qubit. On the other hand, 
to get the proper result i.e. the value of ao, this qubit's actual information about encoded 
value has to be disturbed at the smallest possible degree. That implies for Bob a necessity 
of some sort of cloning that qubit, which turns out to impose the desired bounds on possible 
cheating. We show this by first reducing the task of cloning to one where no additional hint in 
the form of R a \a\ © h) is provided and then an analysis of this simplified process. Therefore, 
the proof indicates that the hardness of cheating the protocol is contained in the necessity 
of cloning, which gives us a sort of quantitative non-cloning theorem. Although, it seems to 
concern only our particular implementation of the protocol, we believe that this scenario is 
useful enough to be of independent interests. 

2 Note that this does not restrict Bob's power. Particularly, when Bob tries to make a measurement in the 
first step then using a standard technique we can move this measurement to the second step. 
3 We can assume wlog that the last qubit is sent since U is arbitrary 
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We analyze first Bob's information gain about a\. Wlog we may assume that Bob can distin- 
guish better between two values of a\ if oo = 0. That is 

Pr aiefl{o,i}K = aiko = 0] > Pr ai6K{0 ,i}[a'i = a x \a Q = 1]. 

Let now Pj,k,i be a density matrix of the system before Bob's final measurement, corresponding 
to a = j ■ 2, h = k, ai = I and ao = 0. The advantage S of Bob in this case (i.e. 5 such that 
Prfa^ = a\ | ao = 0] = 1/2 + 8) can be estimated by LemmaQby Bob's ability to distinguish 
between the following density matrices: 

l(po,o,o + Pi,o,o + Po,i,o + Pi,i,o) (case ai = 0), and 
i(po,o,i + Pi,o,i + Po,i,i + (case a x = 1). 

Using the triangle inequality we get that for the measurement O performed by Bob 

& < l(\Po,o,o ~ + \P?,i,o ~ /°So,ili + l^i.o " PoaiIi + \p?,o,o ~ (!) 

Each component corresponds to different values of a and h ® a\. And each component is 
symmetric to the other in such a way that there exists a straight-forward local transformation 
for Bob (i.e. appropriate rotation of the computational basis on one or both qubits) which 
transform any of above components onto another. So, we can assume wlog that the advantage 
in distinguishing between po,o,o and Po,i,l = IPooo — Poi ill ' s the maximum component 
in the right-hand side of the inequality (QJ and therefore we have 5 < |#o- Let, for short, 
7o = /°o,o,o an d 7i = Po,i,i- One can easily calculate that 

70 = |0)(0|®|y 00 )(Cl + |l)(l|®l^ 00 >(^ 00 | (2) 

71 = |0><0| (8) |^ 01 ><Vi 01 | + |1)<1| |Vb 01 ><Vb 01 |. (3) 

As we can see to each value of m in above density matrices corresponds a pair of vectors which 
are critical for Bob's cheating. I.e. the better they can be distinguishable by his measurement 
the greater is his advantage. But, as we will see later, this fact introduces perturbation of the 
indication of the value of ao. 

First, we take a look on the measurements Hq, H\ performed by Bob. Let us define o"2 m + p 
for p,m £ {0, 1} as follows 

' \tr{H p \W° p ){W* p \Hl) - tr{H p \W^ p \w^- p) \Hl)\ if m = 0, 

k ^^(^^^^(ix^i^) _ ^(i^iiv-p^-^xii^d-^i^t)! ifm = L 

Let for m = 0, po £ {0, 1} be such that a po > cri- po and similarly, for m = 1 let p\ G {0, 1} 
be such that 02+pi > °"2+(i-pi)- Then we get 

l7o°-7f|i = Y,t=a\tr(H tl0 Hl)-tr(H tll Hl)\ 

< 2(a P0 + a 2+Pl ) + Zt=2 \tr(H tl0 H\) - tr(H tll H\)\. 

We should see first that the second term in the above sum corresponds to advantage in 
distinguishing between two values of a\ by measurement H2, H3 in case of ao = 0. But those 
subspaces reflect Bob's belief that ao = 1. Therefore, we have that 

3 

\tr{H m H\) - tr{H tll H\)\ < Pr^^o,!}^ + a \a = 0]. 

t=2 
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So, we can neglect this term because it is of the order of the square of the advantage (if not 
then our lemma would be proved). Hence we get: ^ < a Po + cr 2 + Pl . 

Now, we define projection O m as follows. For m = let Oq be the normalized orthogonal 
projection of |0V^f°) onto the subspace H Po if 

tr(H po \ov p y)(ov p °™\Hl ) > ^(^joy^^oy^^tj. 

Otherwise, let Oq be the normalized orthogonal projection of lOVj ^^) onto H po . Analo- 
gously, we define 0± as a normalized orthogonal projection of IIV/^) onto the subspace H Pl 
if 

tr{H p ^W^){W^\Hl) > tr{H p ^W^-^){W^\Hl) 
else 0\ is a normalized orthogonal projection of (lV^ / 1 Pl ^) onto H Pl . Hence we get 

a po < \\(0V p y\O )\ 2 - |(0^7 0) |O )| 2 |, a 2+pi < \\{W^_ pi \0^ - KlV^-^O^. 

We would like now to investigate the probability of obtaining the correct result. Recall that 
Pr[ai = 0] = \. We should first note that the density matrices corresponding to initial config- 
uration of the second qubit R a \a>i © h) is now exactly ^|0)(0| + ^|1)(1| even if we know h and 
a. So, from the point of view of the protocol those two configurations are indistinguishable. 
Therefore, we can substitute the second qubit from the initial configuration with a random bit 
r encoded in perpendicular basis and the probability of obtaining proper result is unchanged. 
We analyze the probability of computing the correct result in case of r = 0. Note, that the 
vectors {V^}k,j still describe U, but vectors {W^}kj are different, defined by U acting now 
on initial configuration \v) <8> |0) <8> R a \j) , with a = \. We investigate the correspondence 
between {V^}k,j and the new vectors. For j = we have: 

I7(|«00 x » = ^tf(|t,00> - |«01» = 7i(^o 00 |o) + vi 00 |i)-y 01 |o)-vi 01 |i)) 

= ^ 00 - vf° - y 01 + ^)|o x > + (y 00 + v?° - y 01 - vi 01 )|i x »). 

Similarly, for j = 1 we have: 

i/(|«oi x » = ^u(\v00) + \vQi)) = ^(^ 00 |o) + ^ 1 00 |i) + y 01 |o) + y 1 01 |i)) 

= ^ 00 - vr + C - ^)|0 X ) + (V™ + V?° + + ^)|l x ))). 
Thus, let us denote these vectors by 

W 00 = '-((V™ + ^i 01 ) - + O), = \({V§° - vn - (V 01 - V? )), 

= i((y 00 - v? 1 ) + - O), W = \{{v™ + v?) + + v? )). 

In order to obtain the correct result Bob has to distinguish between the density matrices 
corresponding to two values of ao- In particular, he has to distinguish between density matrices 
7o, j'i corresponding to two possible values of oo knowing that m = 0. These density matrices 
are: 

70 = ^|0><0| (S) (|^o 00 ><"^) 00 | + I^XW 31 ! + l^o 00 ><^o 00 | + l^i 01 X^i 01 |), (4) 

71 = ^|o)<o| o (IVo^xVo 01 ! + l^xvi 00 ! + |Wo 01 ><^o 01 l + Iv^DW 00 !)- (5) 
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Now, the probability of failure i.e. the probability that in case of m = Bob's measurement 
indicates that ao = if in fact it is oq = 1, is at least 

tr(H po7 [Hl ) > *r(|0 )(OoK) = ^ (| {0T^ 01 |O ) | 2 +| <0^ |O ) | 2 +| (0^ 01 |O > | 2 +| (0^° |O ) | 2 )- 
But since the fact that 

^o 01 = ~((V 00 ~ vn + (V? 1 - V? )), W? = ^((C - ^i 01 ) - " V? )), 

and the parallelogram law (|a + b\ 2 + \a — b\ 2 = 2\a\ 2 + 2|6| 2 ), we have that this probability is 
at least 

\(\(0W m \O )\ 2 + \(OW?°\Oo)\ 2 ) > l\(ov 00 \o ) - (O^lOo)! 2 
> ±(\(W™\O )\ - |{OT4 01 |0 )|) 2 (KOV 00 |Oo)| + K0^|Ob)|) a 

>^(|(oy 00 |Oo)| 2 -Koy 1 01 |o )l 2 ) 2 >^. 

Similarly we analyze density matrices 7^, 7" corresponding to two possible values of ao know- 
ing that m = 1. These density matrices are equal to resp. 7J and 7 after changing |0)(0| to 

|1)(1|. Now, by repeating completely analogous estimation of failure's probability with usage 

2 

of vectors |V^ 01 ) , l^ 00 ), |W 00 ) and \W^), we get that this probability is at least There- 
fore, since the vectors involved in imposing failure in both cases are distinct, we conclude that 

Pr aigfl { ,i}[ a o / a o| r = 0] > P0 3 2 +P1 ■ Hence we have 




{0,1} K ^ a o\ r = 1] 



and the lemma is proved. 

Finally, it is worth mentioning that the value of m doesn't need to be correlated in any way 
with value of a^. That is, Bob by using entanglement (for instance, straightforward use of Bell 
states) can make the value of m independent of aj and still acquire perfect knowledge about 
Oj . He uses simple error-correction to know whether m = d{ orm = 1 — aj . His problems with 
determining whether flip has occurred, start only when he wants additionally to accumulate 
some information about the value of aj © h. I 
To see that this quadratical bound can be achieved consider the following cheating strategy. 
Let U* be such that U*(\v) ® = \vj) © So, \V-' j ) = \ Vj ) \l) and |^-) = 0. 

Moreover, let (vo\vi) = y/1 — e. As we can see, usage of U* accumulates some information 
about value of j = ao®h by marking it with two non-parallel (therefore possible to distinguish) 
vectors in Bob's system. We do now the following. We use U* on |«)® J?a|ai © h)(BR a \o-o © h) 
and send the last qubit to Alice. When we get the message m which is exactly ao with 
probability 4 of order 1 — e, we make an optimal measurement to distinguish between vo and 
v±. By Theorem^this optimal measurement has advantage of order yfe. So, after getting the 
outcome f , we know that Pr[j' = ao © h] > \ + £l(y/e) and we can simply compute the value 
of h! = m®j'. Having such knowledge about the value of h' we can distinguish between values 
of ai encoded in the second qubit R a \a\ © h) with the advantage proportional to Q(y/e). 

4 This can be easily computed - the perturbation arises when a = \ . 
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4 Cheat Sensitive Quantum Bit Commitment 



We recall first a formal definition of the binding and sealing property of a quantum bit 
commitment. We follow here the definition by Aharonov et al. Let us start with the 
binding property. Assume Alice follows the bit commitment protocol and Bob is arbitrarily. 
During the depositing phase Bob and Alice compute in some rounds a super-position \iPab) 
with two quantum registers: one keeping by Bob and one by Alice. After a communication 
phase Bob either uses a strategy trying to convince Alice to or a strategy to convince 
Alice to 1. Depending on the results of the computations Alice decides to one the values 
vb £ {0,1, err}; In case vb = err he rejects the protocol. Let Pi be the probability that 
Alice decides vb = i, and p err be the probability that Alice decides vb = err, when Bob uses 
strategy 0. Analogously, denote the probabilities qo,qi,q e rr for Bob's strategy 1. A protocol 
is (5,e)-binding if whenever Alice is hones, for any Bob's strategy it is true: if p er r,Qerr < £ 
then \po — qo\, \p± — q±\ < 5. A bit commitment protocol is (5, e)- sealing, if whenever Bob is 
honest and deposits a bit b s.t. Pr[6 = 0] = 1/2, for any Alice's strategy and a value c Alice 
learns, it holds that: if Prft gH { 0i i} [Bob detects error] < e then Pr(, efl { 0j i} [c = b] < 1/2 + 5. 
The probability is taken over b taken uniformly from {0, 1} and the protocol. 

Theorem 3 Using Protocol^ as a black-box for computing OT, Protocol^ is an (4-^/e, e)- 
sealing. Moreover, there exists a constant A > such that for all strategies Bob uses it holds 
max{p err , q err } > X, where p err (q e rr) denotes the probability that Alice decides error when 
Bob uses strategy for (1 resp.). 

Sketch of the proof: First, we note that in both calls to the OT function the inputs that 
come into play in this executions are completely uncorrelated from the point of view of both 
Alice and Bob. So, we can analyze them distinctly. 

To see that this protocol is sealing we note that Alice in each call to OT function has to 
take into account that with probability \ Bob will check whether she knows what actu- 
ally he has received during execution of this protocol. Moreover her cheating is effective 
only if it is not checked, so only with probability of \. By Lemma if a strategy al- 
lows her to distinguish between possible values of b' with advantage greater than 4\/2e then 
Flc b'e R {o,i}[vc + OT((a 2 c,a 2 c+i),b')] > e. 

In case of binding, we first notice that it is only useful for Bob to cheat in some particular 
OT execution, chosen previously by Bob, which is used in the revealing phase for the binding 
test. So wlog assume Bob cheats in the second OT execution and that in the last step of the 
depositing stage he reveals c = 0. Let a' 3 , a' 4 , resp. denote the predicted values. Using the 
notation given in the definition of the binding property we get that p err = Pr[a 3 ^ 0,3], po = 
Pr[a' 3 = 03], and p\ = 0. Similarly we have q err = Pr[a 4 / 04], qo = 0, and q\ = Pr[a 4 = 04]. 
Now by Lemma 01 we get that if Pr[a^ / dj] < e 2 then Prfa'^ / ai_j] > 1/2 — 16 2 e and for 
some constant A > it follows that max{Pr[a^ 7^ a,i],Pr[a' 1 _ i 7^ ai-«]} > A. 1 

5 Concluding Remark 

In this paper a weak variant of quantum bit commitment is investigated. We give quantum 
bit commitment scheme that is simultaneously binding and sealing and we show that if a 
malicious Alice gains some information about the committed bit b then Bob detects this with 
a probability ^l(e 2 ). When Bob cheats then Alice's probability of detecting the cheating is 
greater than a constant A > 0. Using our bounds we get that the value is very small and an 
interesting task would be to improve the constant. 
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